Secure encryption enabled data clean room

ABSTRACT

Embodiments of the present disclosure may provide a data clean room allowing encryption based data analysis across multiple accounts of different database users. The data clean room may also restrict which data may be used in the analysis and may restrict the output. A requesting user&#39;s data can be encrypted using a key and a provider user can generate a shareable database function that accepts the key to decrypt the data to generate the results data without exposing each others&#39; data.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority of U.S. ProvisionalApplication No. 63/216,966, filed on Jun. 30, 2021, which isincorporated herein by reference in its entirety.

TECHNICAL FIELD

The present disclosure generally relates to securely analyzing datausing a data clean room of a distributed database.

BACKGROUND

Currently, most digital advertising is performed using third-partycookies. Cookies are small pieces of data generated and sent from a webserver and stored on the user's computer by the user's web browser thatare used to gather data about customers' habits based on their websitebrowsing history. Because of privacy concerns, the use of cookies isbeing restricted. Companies may want to create target groups foradvertising or marketing efforts for specific audience segments. To doso, companies may want to compare their customer information with thatof other companies to see if their customer lists overlap for thecreation of such target groups. Thus, companies may want to perform dataanalysis, such as an overlap analysis, of their customers or other data.

BRIEF DESCRIPTION OF THE DRAWINGS

Various ones of the appended drawings merely illustrate exampleembodiments of the present disclosure and should not be considered aslimiting its scope.

FIG. 1 illustrates an example computing environment in which anetwork-based database system can data clean rooms, according to someexample embodiments,

FIG. 2 is a block diagram illustrating components of a compute servicemanager, according to some example embodiments.

FIG. 3 is a block diagram illustrating components of an executionplatform, according to some example embodiments.

FIG. 4 is a computing environment conceptually illustrating an examplesoftware architecture executing a user defined function (UDE) by aprocess running on a given execution node of the execution platform,according to some example embodiments.

FIG. 5 shows an example of two separate accounts in a data warehousesystem, according to some example embodiments.

FIG. 6 is a block diagram illustrating a method for operating a dataclean room, according to some example embodiments.

FIGS. 7A and 7B a secure encryption-based clean room architecture;according to some example embodiments.

FIG. 8 shows a flow diagram of a method for implementing a secureencryption-based clean room architecture, according to some exampleembodiments.

FIGS. 9A and 9B show an example distributed database architecture forimplementing multi-entity database clean rooms, according to someexample embodiments.

FIG. 10 shows a flow diagram of an example method for implementing amulti-entity encryption-based data clean room queries, according to someexample embodiments.

FIG. 11 illustrates a diagrammatic representation of a machine in theform of a computer system within which a set of instructions may beexecuted for causing the machine to perform any one or more of themethodologies discussed herein, in accordance with some embodiments ofthe present disclosure.

DETAILED DESCRIPTION

The description that follows includes systems, methods, techniques,instruction sequences, and computing machine program products thatembody illustrative embodiments of the disclosure. In the followingdescription, for the purposes of explanation, numerous specific detailsare set forth in order to provide an understanding of variousembodiments of the inventive subject matter. It will be evident,however, to those skilled in the art, that embodiments of the inventivesubject matter may be practiced without these specific details. Ingeneral, well-known instruction instances, protocols, structures, andtechniques are not necessarily shown in detail.

As discussed, it can be difficult to securely and efficiently share databetween data stores of different entities. To this end, an encryptionbased data clean room can be implemented that performs direct matchingof data (e.g., user IDs) in the different data sets in anencryption-based approach using shared functions and shared dataobjects, in accordance with some example embodiments. As an example, arequester database account can seek to perform overlap analysis withdata of another account, e.g., user data of a provider database account.For example, the overlap analysis may require matching user identifiers(e.g., user IDs, emails) for users shared by the requestor and providerdatabase accounts. To this end, and in accordance with some exampleembodiments, the provider database account can generate available valuesthat the provider will include in a given query without exposing theunderlying data. For instance, the provider can specify that a zip-codecolumn of its user data can be included as part of the requester's query(e.g., referenced by a WHERE in a SELECT). Further, the requestoraccount specifies which of the requester's data is to be included in agiven query (e.g., columns, and/or rows) and encrypts this data using akey that is kept private to the requester. The provider account canfurther generate a secure sharable function that is configured toperform direct matching when called (e.g., by the requester), where thefunction is configured to accept as input a decrypt key. The requestorcan receive shared access to the function and run the function on therequester's encrypted data (e.g., using compute instances managed by therequester account), where the requester inputs the decrypt key to theshared function when initiated to perform direct matching of overlappingdata between the data sets and to generate results data in a secureencryption-based approach.

Further, the encryption based data clean room can be implemented toshare data between multiple entities, such as between a requesteraccount and a plurality of different provider accounts. In some exampleembodiments, the encryption based data clean room wraps encryptionfunctions from the different provider accounts around a requester'sencryption function such that direct encryption based matching can beperformed by the encryption based data clean room without exposing thedifferent provider's data to each other and the requester.

FIG. 1 illustrates an example shared data processing platform 100implementing secure messaging between deployments, in accordance withsome embodiments of the present disclosure, To avoid obscuring theinventive subject matter with unnecessary detail, various functionalcomponents that are not germane to conveying an understanding of theinventive subject matter have been omitted from the figures. However, askilled artisan will readily recognize that various additionalfunctional components may be included as part of the shared dataprocessing platform 100 to facilitate additional functionality that isnot specifically described herein.

As shown, the shared data processing platform 100 comprises thenetwork-based database system 102, a cloud computing storage platform104 (e.g., a storage platform, an AWS® service, Microsoft Azure®, orGoogle Cloud Services®), and a remote computing device 106. Thenetwork-based database system 102 is a network-based system used forstoring and accessing data (e.g., internally storing data, accessingexternal remotely located data) in an integrated manner, and reportingand analysis of the integrated data from the one or more disparatesources (e.g., the cloud computing storage platform 104). The cloudcomputing storage platform 104 comprises a plurality of computingmachines and provides on-demand computer system resources such as datastorage and computing power to the network-based database system 102.While in the embodiment illustrated in FIG. 1 , a network-based databasesystem is depicted, other embodiments may include other types ofdatabases or other data processing systems.

The remote computing device 106 (e.g., a user device such as a laptopcomputer) comprises one or more computing machines (e.g., a user devicesuch as a laptop computer) that execute a remote software component 108(e.g., browser accessed cloud service) to provide additionalfunctionality to users of the network-based database system 102. Theremote software component 108 comprises a set of machine-readableinstructions (e.g., code) that, when executed by the remote computingdevice 106, cause the remote computing device 106 to provide certainfunctionality. The remote software component 108 may operate on inputdata and generates result data based on processing, analyzing, orotherwise transforming the input data. As an example, the remotesoftware component 108 can an application that a data provider (e.g.,provider database account) or data consumer (e.g., requester databaseaccount) implement to interact with the network-based database system102 (e.g., a browser that creates active sessions with network servicesof the network-based database system 102 or cloud computing storageplatform 104).

The network-based database system 102 comprises an access managementsystem 110, a compute service manager 112, an execution platform 114,and a database 116. The access management system 110 enablesadministrative users to manage access to resources and services providedby the network-based database system 102. Administrative users cancreate and manage users, roles, and groups, and use permissions to allowor deny access to resources and services. The access management system110 can store share data that securely manages shared access to thestorage resources of the cloud computing storage platform 104 amongstdifferent users of the network-based database system 102, as discussedin further detail below.

The compute service manager 112 coordinates and manages operations ofthe network-based database system 102. The compute service manager 112also performs query optimization and compilation as well as managingclusters of computing services that provide compute resources (e.g.,virtual warehouses, virtual machines, EC2 clusters). The compute servicemanager 112 can support any number of client accounts such as end usersproviding data storage and retrieval requests, system administratorsmanaging the systems and methods described herein, and othercomponents/devices that interact with compute service manager 112.

The compute service manager 112 is also coupled to database 116, whichis associated with the entirety of data stored on the shared dataprocessing platform 100. The database 116 stores data pertaining tovarious functions and aspects associated with the network-based databasesystem 102 and its users.

In some embodiments, database 116 includes a summary of data stored inremote data storage systems as well as data available from one or morelocal caches. Additionally, database 116 may include informationregarding how data is organized in the remote data storage systems andthe local caches. Database 116 allows systems and services to determinewhether a piece of data needs to be accessed without loading oraccessing the actual data from a storage device. The compute servicemanager 112 is further coupled to an execution platform. 114, whichprovides multiple computing resources (e.g., virtual warehouses) thatexecute various data storage and data retrieval tasks, as discussed ingreater detail below.

Execution platform 114 is coupled to multiple data storage devices 124-1to 124-n that are part of a cloud computing storage platform 104. Insome embodiments, data storage devices 124-1 to 124-n are cloud-basedstorage devices located in one or more geographic locations. Forexample, data storage devices 1241 to 124-n may be part of a publiccloud infrastructure or a private cloud infrastructure. Data storagedevices 1241 to 124-n may be hard disk drives HDDs), solid state drives(SSDs), storage clusters, Amazon S3 storage systems or any other datastorage technology. Additionally, cloud computing storage platform 104may include distributed file systems (such as Hadoop Distributed FileSystems (HDFS)), object storage systems, and the like.

The execution platform 114 comprises a plurality of compute nodes (e.g.,virtual warehouses). A set of processes on a compute node executes aquery plan compiled by the compute service manager 112. The set ofprocesses can include: a first process to execute the query plan; asecond process to monitor and delete micro-partition files using a leastrecently used (LRU) policy, and implement an out of memory (OOM) errormitigation process; a third process that extracts health informationfrom process logs and status information to send back to the computeservice manager 112; a fourth process to establish communication withthe compute service manager 112 after a system boot; and a fifth processto handle communication with a compute cluster for a given job providedby the compute service manager 112 and to communicate information backto the compute service manager 112 and other compute nodes of theexecution platform 114.

The cloud computing storage platform 104 also comprises an accessmanagement system 118 and a web proxy 120. As with the access managementsystem 110, the access management system 118 allows users to create andmanage users, roles, and groups, and use permissions to allow or denyaccess to cloud services and resources. The access management system 110of the network-based database system 102 and the access managementsystem 118 of the cloud computing storage platform 104 can communicateand share information so as to enable access and management of resourcesand services shared by users of both the network-based database system102 and the cloud computing storage platform 104. The web proxy 120handles tasks involved in accepting and processing concurrent API calls,including traffic management, authorization and access control,monitoring, and API version management. The web proxy 120 provides HTTPproxy service for creating, publishing, maintaining, securing, andmonitoring APIs (e.g., REST APIs).

In some embodiments, communication links between elements of the shareddata processing platform 100 are implemented via one or more datacommunication networks. These data communication networks may utilizeany communication protocol and any type of communication medium. In someembodiments, the data communication networks are a combination of two ormore data communication networks (or sub-networks) coupled to oneanother. In alternate embodiments, these communication links areimplemented using any type of communication medium and any communicationprotocol.

As shown in FIG. 1 , data storage devices 124-1 to 124-N are decoupledfrom the computing resources associated with the execution platform 114.That is, new virtual warehouses can be created and terminated in theexecution platform 114 and additional data storage devices can becreated and terminated on the cloud computing storage platform. 104 inan independent manner. This architecture supports dynamic changes to thenetwork-based database system 102 based on the changing datastorage/retrieval needs as well as the changing needs of the users andsystems accessing the shared data processing platform 100. The supportof dynamic changes allows network-based database system 102 to scalequickly in response to changing demands on the systems and componentswithin network-based database system 102. The decoupling of thecomputing resources from the data storage devices 124-1 to 124-nsupports the storage of large amounts of data without requiring acorresponding large amount of computing resources. Similarly, thisdecoupling of resources supports a significant increase in the computingresources utilized at a particular time without requiring acorresponding increase in the available data storage resources.Additionally, the decoupling of resources enables different accounts tohandle creating additional compute resources to process data shared byother users without affecting the other users' systems. For instance, adata provider may have three compute resources and share data with adata consumer, and the data consumer may generate new compute resourcesto execute queries against the shared data, where the new computeresources are managed by the data consumer and do not affect or interactwith the compute resources of the data provider.

Compute service manager 112, database 116, execution platform 114, cloudcomputing storage platform 104, and remote computing device 106 areshown in FIG. 1 as individual components. However, each of computeservice manager 112, database 116, execution platform 114, cloudcomputing storage platform 104, and remote computing environment may beimplemented as a distributed system (e.g., distributed across multiplesystems/platforms at multiple geographic locations) connected by APIsand access information (e.g., tokens, login data), Additionally, each ofcompute service manager 112, database 116, execution platform 114, andcloud computing storage platform 104 can be scaled up or down(independently of one another) depending on changes to the requestsreceived and the changing needs of shared data processing platform 100.Thus, in the described embodiments, the network-based database system102 is dynamic and supports regular changes to meet the current dataprocessing needs.

During typical operation, the network-based database system 102processes multiple jobs (e.g., queries) determined by the computeservice manager 112. These jobs are scheduled and managed by the computeservice manager 112 to determine when and how to execute the job. Forexample, the compute service manager 112 may divide the job intomultiple discrete tasks and may determine what data is needed to executeeach of the multiple discrete tasks. The compute service manager 112 mayassign each of the multiple discrete tasks to one or more nodes of theexecution platform 114 to process the task. The compute service manager112 may determine what data is needed to process a task and furtherdetermine which nodes within the execution platform 114 are best suitedto process the task. Some nodes may have already cached the data neededto process the task (due to the nodes having recently downloaded thedata from the cloud computing storage platform 104 for a previous job)and, therefore, be a good candidate for processing the task. Metadatastored in the database 116 assists the compute service manager 112 indetermining which nodes in the execution platform 114 have alreadycached at least a portion of the data needed to process the task. One ormore nodes in the execution platform 114 process the task using datacached by the nodes and, if necessary, data retrieved from the cloudcomputing storage platform 104. It is desirable to retrieve as much dataas possible from caches within the execution platform 114 because theretrieval speed is typically much faster than retrieving data from thecloud computing storage platform 104.

As shown in FIG. 1 , the shared data processing platform 100 separatesthe execution platform 114 from the cloud computing storage platform.1.04. In this arrangement, the processing resources and cache resourcesin the execution platform 114 operate independently of the data storagedevices 124-1 to 124-n in the cloud computing storage platform 104.Thus, the computing resources and cache resources are not restricted tospecific data storage devices 1244 to 124-n. Instead, all computingresources and all cache resources may retrieve data from, and store datato, any of the data storage resources in the cloud computing storageplatform 104.

FIG. 2 is a block diagram illustrating components of the compute servicemanager 112, in accordance with some embodiments of the presentdisclosure. As shown in FIG. 2 , a request processing service 202manages received data storage requests and data retrieval requests(e.g., jobs to be performed on database data). For example, the requestprocessing service 202 may determine the data necessary to process areceived query (e.g., a data storage request or data retrieval request).The data may be stored in a cache within the execution platform 114 orin a data storage device in cloud computing storage platform 104. Amanagement console service 204 supports access to various systems andprocesses by administrators and other system managers. Additionally, themanagement console service 204 may receive a request to execute a joband monitor the workload on the system. The clean room engine 225manages performing secure queries on a data set shared by a plurality ofdatabase accounts (e.g., a requesting or consumer database account thatgenerates the request, and a provider database account that shares userdefined functions to complete the request), as discussed in furtherdetail below.

The compute service manager 112 also includes a job compiler 206, a joboptimizer 208, and a job executor 210. The job compiler 206 parses a jobinto multiple discrete tasks and generates the execution code for eachof the multiple discrete tasks. The job optimizer 208 determines thebest method to execute the multiple discrete tasks based on the datathat needs to be processed. The job optimizer 208 also handles variousdata pruning operations and other data optimization techniques toimprove the speed and efficiency of executing the job. The job executor210 executes the execution code for jobs received from a queue ordetermined by the compute service manager 112.

A job scheduler and coordinator 212 sends received jobs to theappropriate services or systems for compilation, optimization, anddispatch to the execution platform 114. For example, jobs may beprioritized and processed in that prioritized order. In an embodiment,the job scheduler and coordinator 212 determines a priority for internaljobs that are scheduled by the compute service manager 112 with other“outside” jobs such as user queries that may be scheduled by othersystems in the database but may utilize the same processing resources inthe execution platform 114. In some embodiments, the job scheduler andcoordinator 212 identifies or assigns particular nodes in the executionplatform 114 to process particular tasks. A virtual warehouse manager214 manages the operation of multiple virtual warehouses implemented inthe execution platform 114. As discussed below, each virtual warehouseincludes multiple execution nodes that each include a cache and aprocessor (e.g., a virtual machine, an operating system level containerexecution enviromnent).

Additionally, the compute service manager 112 includes a configurationand metadata manager 216, which manages the information related to thedata stored in the remote data storage devices and in the local caches(i.e., the caches in execution platform 114). The configuration andmetadata manager 216 uses the metadata to determine which datamicro-partitions need to be accessed to retrieve data for processing aparticular task or job. A monitor and workload analyzer 218 overseesprocesses performed by the compute service manager 112 and manages thedistribution of tasks (e.g., workload) across the virtual warehouses andexecution nodes in the execution platform 114. The monitor and workloadanalyzer 218 also redistributes tasks, as needed, based on changingworkloads throughout the network-based database system 102 and mayfurther redistribute tasks based on a user (e.g., “external”) queryworkload that may also be processed by the execution platform 114. Theconfiguration and metadata manager 216 and the monitor and workloadanalyzer 218 are coupled to a data storage device 220. Data storagedevice 220 in FIG. 2 represent any data storage device within thenetwork-based database system 102. For example, data storage device 220may represent caches in execution platform 114, storage devices in cloudcomputing storage platform 104, or any other storage device.

FIG. 3 is a block diagram illustrating components of the executionplatform 114, in accordance with some embodiments of the presentdisclosure. As shown in FIG. 3 , execution platform 114 includesmultiple virtual warehouses, which are elastic clusters of computeinstances, such as virtual machines. In the example illustrated, thevirtual warehouses include virtual warehouse 1, virtual warehouse 2, andvirtual warehouse n. Each virtual warehouse (e.g., EC2 cluster) includesmultiple execution nodes (e.g., virtual machines) that each include adata cache and a processor. The virtual warehouses can execute multipletasks in parallel by using the multiple execution nodes. As discussedherein, execution platform 114 can add new virtual warehouses and dropexisting virtual warehouses in real time based on the current processingneeds of the systems and users. This flexibility allows the executionplatform 114 to quickly deploy large amounts of computing resources whenneeded without being forced to continue paying for those computingresources when they are no longer needed. All virtual warehouses canaccess data from any data storage device (e.g., any storage device incloud computing storage platform 104).

Although each virtual warehouse shown in FIG. 3 includes three executionnodes, a particular virtual warehouse may include any number ofexecution nodes. Further, the number of execution nodes in a virtualwarehouse is dynamic, such that new execution nodes are created whenadditional demand is present, and existing execution nodes are deletedwhen they are no longer necessary (e.g., upon a query or jobcompletion).

Each virtual warehouse is capable of accessing any of the data storagedevices 124-1 to 124-n shown in FIG. 1 . Thus, the virtual warehousesare not necessarily assigned to a specific data storage device 124-1 to124-n and, instead, can access data from any of the data storage devices124-1 to 124-n within the cloud computing storage platform 104.Similarly, each of the execution nodes shown in FIG. 3 can access datafrom any of the data storage devices 1244 to 124-n. For instance, thestorage device 1244 of a first user (e.g., provider account user) may beshared with a worker node in a virtual warehouse of another user (e.g.,consumer account user), such that the other user can create a database(e.g., read-only database) and use the data in storage device 1244directly without needing to copy the data (e.g., copy it to a new diskmanaged by the consumer account user). In some embodiments, a particularvirtual warehouse or a particular execution node may be temporarilyassigned to a specific data storage device, but the virtual warehouse orexecution node may later access data from any other data storage device.

In the example of FIG. 3 , virtual warehouse 1 includes three executionnodes 302-1, 302-2, and 302-n. Execution node 302-1 includes a cache304-1 and a processor 306-1. Execution node 302-2 includes a cache 304-2and a processor 306-2. Execution node 302-n includes a cache 304-n and aprocessor 306-n. Each execution node 302-1, 302-2, and 302-n isassociated with processing one or more data storage and/or dataretrieval tasks. For example, a virtual warehouse may handle datastorage and data retrieval tasks associated with an internal service,such as a clustering service, a materialized view refresh service, afile compaction service, a storage procedure service, or a file upgradeservice. In other implementations, a particular virtual warehouse mayhandle data storage and data retrieval tasks associated with aparticular data storage system or a particular category of data.

Similar to virtual warehouse 1 discussed above, virtual warehouse 2includes three execution nodes 312-1, 312-2, and 312-n. Execution node312-1 includes a cache 314-1 and a processor 316-1. Execution node 312-2includes a cache 314-2 and a processor 316-2. Execution node 312-nincludes a cache 314-n and a processor 316-n. Additionally, virtualwarehouse 3 includes three execution nodes 322-1, 322-2, and 322-n.Execution node 322-1 includes a cache 324-1 and a processor 326-1.Execution node 322-2 includes a cache 324-2 and a processor 326-2.Execution node 322-n includes a cache 324-n and a processor 326-n.

In some embodiments, the execution nodes shown in FIG. 3 are statelesswith respect to the data the execution nodes are caching. For example,these execution nodes do not store or otherwise maintain stateinformation about the execution node, or the data being cached by aparticular execution node. Thus, in the event of an execution nodefailure, the failed node can be transparently replaced by another node.Since there is no state information associated with the failed executionnode, the new (replacement) execution node can easily replace the failednode without concern for recreating a particular state.

Although the execution nodes shown in FIG. 3 each include one data cacheand one processor, alternative embodiments may include execution nodescontaining any number of processors and any number of caches.Additionally, the caches may vary in size among the different executionnodes. The caches shown in FIG. 3 store, in the local execution node(e.g., local disk), data that was retrieved from one or more datastorage devices in cloud computing storage platform 104 (e.g., S3objects recently accessed by the given node). In some exampleembodiments, the cache stores file headers and individual columns offiles as a query downloads only columns necessary for that query.

To improve cache hits and avoid overlapping redundant data stored in thenode caches, the job optimizer 208 assigns input file sets to the nodesusing a consistent hashing scheme to hash over table file names of thedata accessed. (e.g., data in database 116 or database 122). Subsequentor concurrent queries accessing the same table file will therefore beperformed on the same node, according to some example embodiments.

As discussed, the nodes and virtual warehouses may change dynamically inresponse to environmental conditions (e.g., disaster scenarios),hardware/software issues (e.g., malfunctions), or administrative changes(e.g., changing from a large cluster to smaller cluster to lower costs).In some example embodiments, when the set of nodes changes, no data isreshuffled immediately. Instead, the least recently used replacementpolicy is implemented to eventually replace the lost cache contents overmultiple jobs. Thus, the caches reduce or eliminate the bottleneckproblems occurring in platforms that consistently retrieve data fromremote storage systems. Instead. of repeatedly accessing data from theremote storage devices, the systems and methods described herein accessdata from the caches in the execution nodes, which is significantlyfaster and avoids the bottleneck problem discussed above. In someembodiments, the caches are implemented using high-speed memory devicesthat provide fast access to the cached data. Each cache can store datafrom any of the storage devices in the cloud computing storage platform104.

Further, the cache resources and computing resources may vary betweendifferent execution nodes. For example, one execution node may containsignificant computing resources and minimal cache resources, making theexecution node useful for tasks that require significant computingresources. Another execution node may contain significant cacheresources and minimal computing resources, making this execution nodeuseful for tasks that require caching of large amounts of data. Yetanother execution node may contain cache resources providing fasterinput-output operations, useful for tasks that require fast scanning oflarge amounts of data. In some embodiments, the execution platform 114implements skew handling to distribute work amongst the cache resourcesand computing resources associated with a particular execution, wherethe distribution may be further based on the expected tasks to beperformed by the execution nodes. For example, an execution node may beassigned more processing resources if the tasks performed by theexecution node become more processor-intensive. Similarly, an executionnode may be assigned more cache resources if the tasks performed by theexecution node require a larger cache capacity. Further, some nodes maybe executing much slower than others due to various issues (e.g.,virtualization issues, network overhead). In some example embodiments,the imbalances are addressed at the scan level using a file stealingscheme. In particular, whenever a node process completes scanning itsset of input files, it requests additional files from other nodes. Ifthe one of the other nodes receives such a request, the node analyzesits own set (e.g., how many files are left in the input file set whenthe request is received), and then transfers ownership of one or more ofthe remaining files for the duration of the current job (e.g., query).The requesting node (e.g., the file stealing node) then receives thedata (e.g., header data) and downloads the files from the cloudcomputing storage platform 104 (e.g., from data storage device 124-1),and does not download the files from the transferring node. In this way,lagging nodes can transfer files via file stealing in a way that doesnot worsen the load on the lagging nodes.

Although virtual warehouses 1, 2, and n are associated with the sameexecution platform 114, the virtual warehouses may be implemented usingmultiple computing systems at multiple geographic locations. Forexample, virtual warehouse 1 can be implemented by a computing system ata first geographic location, while virtual warehouses 2 and n areimplemented by another computing system at a second geographic location.In some embodiments, these different computing systems are cloud-basedcomputing systems maintained by one or more different entities.

Additionally, each virtual warehouse is shown in FIG. 3 as havingmultiple execution nodes. The multiple execution nodes associated witheach virtual warehouse may be implemented using multiple computingsystems at multiple geographic locations. For example, an instance ofvirtual warehouse 1 implements execution nodes 302-1 and 302-2 on onecomputing platform at a geographic location and implements executionnode 302-n at a different computing platform at another geographiclocation. Selecting particular computing systems to implement anexecution node may depend on various factors, such as the level ofresources needed for a particular execution node (e.g., processingresource requirements and cache requirements), the resources availableat particular computing systems, communication capabilities of networkswithin a geographic location or between geographic locations, and whichcomputing systems are already implementing other execution nodes in thevirtual warehouse.

Execution platform 114 is also fault tolerant. For example, if onevirtual warehouse fails, that virtual warehouse is quickly replaced witha different virtual warehouse at a different geographic location.

A particular execution platform 114 may include any number of virtualwarehouses. Additionally, the number of virtual warehouses in aparticular execution platform is dynamic, such that new virtualwarehouses are created when additional processing and/or cachingresources are needed. Similarly, existing virtual warehouses may bedeleted when the resources associated with the virtual warehouse are nolonger necessary.

In some embodiments, the virtual warehouses may operate on the same datain cloud computing storage platform 104, but each virtual warehouse hasits own execution nodes with independent processing and cachingresources. This configuration allows requests on different virtualwarehouses to be processed independently and with no interferencebetween the requests. This independent processing, combined with theability to dynamically add and remove virtual warehouses, supports theaddition of new processing capacity for new users without impacting theperformance observed by the existing users,

FIG. 4 is a computing environment 400 conceptually illustrating anexample software architecture executing a user defined function (UDF) bya process running on a given execution node of the execution platform114, in accordance with some embodiments of the present disclosure. Asillustrated, the execution node 302-1 from the execution platform 114includes an execution node process 410, which in an embodiment isrunning on the processor 306-1 and can also utilize memory from thecache 304-1 (or another memory device or storage). As mentioned herein,a “process” or “computing process” can refer to an instance of acomputer program that is being executed by one or more threads by anexecution node or execution platform.

As mentioned before, the compute service manager 108 validates allcommunication from the execution platform 114 to validate that thecontent and context of that communication are consistent with thetask(s) known to be assigned to the execution platform 114. For example,the execution platform 114 executing a query A is not allowed to requestaccess to a particular data source (e.g., data storage device 226 or anyone of the storage devices in the cloud storage platform 104) that isnot relevant to query A. In an example, the execution node 302-1 mayneed to communicate with a second execution node (e.g., execution node302-2), but the security mechanisms described herein can disallowcommunication with a third execution node (e.g., execution node 312-1).Moreover, any such illicit communication can be recorded (e.g., in a log444 or other location), Further, the information stored on a givenexecution node is restricted to data relevant to the current query andany other data is unusable by destruction or encryption where the key isunavailable.

The execution node process 410 is executing a UDF client 412 in theexample of FIG. 4 . In an embodiment, the UDF client 412 is implementedto support UDFs written in a particular programming language such asJAVA, and the like. In an embodiment, the UDF client 412 is implementedin a different programming language (e.g., C or C++) than the user code430, which can further improve security of the computing environment 400by using a different codebase (e.g., one without the same or fewerpotential security exploits).

User code 430 may be provided as a package e.g., in the form of a JAR(JAVA archive) file which includes code for one or more UDFs. Serverimplementation code 432, in an embodiment, is a JAR file that initiatesa server which is responsible for receiving requests from the executionnode process 410, assigning worker threads to execute user code, andreturning the results, among other types of server tasks.

In an implementation, an operation from a UDF can be performed by a usercode runtime 424 executing within a sandbox process 420. In anembodiment, the user code runtime 424 is implemented as a virtualmachine, such as a JAVA virtual machine (=WM), Since the user coderuntime 424 advantageously executes in a separate process relative tothe execution node process 410, there is a lower risk of manipulatingthe execution node process 410. Results of performing the operation,among other types of information or messages, can be stored in a log 444for review and retrieval. In an embodiment, the log 444 can be storedlocally in memory at the execution node 302-1, or at a separate locationsuch as the storage platform 104. Moreover, such results can be returnedfrom the user code runtime 424 to the UDF client 412 utilizing ahigh-performance protocol (e.g., without serialization ordeserialization of data, without memory copies; operates on recordbatches without having to access individual columns, records or cells;utilizes efficient remote procedure call techniques and networkprotocol(s) for data transfer) for data transfer (e.g., distributeddatasets) that further provides authentication and encryption of thedata transfer. In an embodiment, the UDF client 412 uses a datatransport mechanism that supports a network transfer of columnar databetween the user code runtime 424 (and vice-versa) with theaforementioned advantages described above.

Security Manager 422, in an example, can prevent completion of anoperation from a given UDF by throwing an exception (e.g., if theoperation is not permitted), or returns (e.g., doing nothing) if theoperation is permitted. In an implementation, the Security Manager 422is implemented as a JAVA security manager object that allowsapplications to implement a security policy such as a security managerpolicy 442, and enables an application to determine, before performing apossibly unsafe or sensitive operation, what the operation is andwhether it is being attempted in a security context that allows theoperation to be performed. The security manager policy 442 can beimplemented as a file with permissions that, the user code runtime 424is granted. The application (e.g., UDF executed by the user code runtime424) therefore can allow or disallow the operation based at least inpart on the security policy.

Sandbox process 420, in an embodiment, is a sub-process (or separateprocess) from the execution node process 410. A sub-process, in anembodiment, refers to a child process of a given parent process (e.g.,in this example, the execution node process 410). The sandbox process420, in an example, is a program that reduces the risk of securitybreaches by restricting the running environment of untrustedapplications using security mechanisms such as namespaces and securecomputing modes (e.g., using a system call filter to an executingprocess and all its descendants, thus reducing the attack surface of thekernel of a given operating system). Moreover, in an example, thesandbox process 420 is a lightweight process in comparison to theexecution node process 410 and is optimized (e.g., closely coupled tosecurity mechanisms of a given operating system kernel) to process adatabase query in a secure manner within the sandbox environment.

In an embodiment, the sandbox process 420 can utilize a virtual networkconnection in order to communicate with other components within thesubject system. A specific set of rules can be configured for thevirtual network connection with respect to other components of thesubject system. For example, such rules for the virtual networkconnection can be configured for a particular UDF to restrict thelocations (e.g., particular sites on the Internet or components that theUDF can communicate) that are accessible by operations performed by theUDF. Thus, in this example, the UDF can be denied access to particularnetwork locations or sites on the Internet.

The sandbox process 420 can be understood as providing a constrainedcomputing environment for a process (or processes) within the sandbox,where these constrained processes can be controlled and restricted tolimit access to certain computing resources.

Examples of security mechanisms can include the implementation ofnamespaces in which each respective group of processes executing withinthe sandbox environment has access to respective computing resources(e.g., process IDs, hostnames, user IDs, file names, names associatedwith network access, and inter-process communication) that are notaccessible to another group of processes (which may have access to adifferent group of resources not accessible by the former group ofprocesses), other container implementations, and the like. By having thesandbox process 420 execute as a sub-process to the execution nodeprocess 410, in some embodiments, latency in processing a given databasequery can be substantially reduced (e.g., a reduction in latency by afactor of 10× in some instances) in comparison with other techniquesthat may utilize a virtual machine solution by itself.

As further illustrated, the sandbox process 420 can utilize a sandboxpolicy 440 to enforce a given security policy. The sandbox policy 440can be a file with information related to a configuration of the sandboxprocess 420 and details regarding restrictions, if any, and permissionsfor accessing and utilizing system resources. Example restrictions caninclude restrictions to network access, or file system access (e.g.,remapping file system to place files in different locations that may notbe accessible, other files can be mounted in different locations, andthe like). The sandbox process 420 restricts the memory and processor(e.g., CPU) usage of the user code runtime 424, ensuring that otheroperations on the same execution node can execute without running out ofresources.

As mentioned above, the sandbox process 420 is a sub-process (orseparate process) from the execution node process 410, which in practicemeans that the sandbox process 420 resides in a separate memory spacethan the execution node process 410. In an occurrence of a securitybreach in connection with the sandbox process 420 (e.g., by errant ormalicious code from a given UDF), if arbitrary memory is accessed by amalicious actor, the data or information stored by the execution nodeprocess is protected.

Although the above discussion of FIG. 4 describes components that areimplemented using JAVA (e.g., object oriented programming language), itis appreciated that the other programming languages (e.g., interpretedprogramming languages) are supported by the computing environment 400.In an embodiment, PYTHON is supported for implementing and executingUDFs in the computing environment 400. In this example, the user coderuntime 424 can be replaced with a PYTHON interpreter for executingoperations from UDFs (e.g., written in PYTHON) within the sandboxprocess 420.

FIG. 5 shows an example of two separate accounts in a data warehousesystem, according to some example embodiments. Here, Company A mayoperate an account A 502 with a network-based data warehouse system asdescribed herein. In account A 502, Company A data 504 may be stored.The Company A data 504 may include, for example, customer data 506relating to customers of Company A. The customer data 506 may be storedin a table or other format storing customer information and otherrelated information. The other related information may includeidentifying information, such as email, and other known characteristicsof the customers, such as gender, geographic location, purchasinghabits, and the like. For example, if Company A is a consumer-goodscompany, purchasing characteristics may be stored, such as whether thecustomer is single, married, part of a suburban or urban family, etc. IfCompany A is a streaming service company, information about the watchinghabits of customers may be stored, such as whether the customer likessci-fi, nature, reality, action, etc.

Likewise, Company B may operate an account B 512 with the network-baseddatabase system as described herein. In account B 512, Company B data514 may be stored. The Company B data 514 may include, for example,customer data relating to customers of Company B. The customer data 516may be stored in a table or other format storing customer informationand other related information. The other related information may includeidentifying information, such as email, and other known characteristicsof the customers, such as gender, geographic location, purchasinghabits, etc., as described above.

For security and privacy reasons, Company A's data may not be accessibleto Company B and vice versa. However, Company A and Company B may wantto share at least some of their data with each other without revealingsensitive information, such as a customer's personal identityinformation. For example, Company A and Company B may want to explorecross marketing or advertising opportunities and may want to see howmany of their customers overlap and filter based on certaincharacteristics of the overlapping customers to identify relationshipsand patterns.

To this end, a data clean room may be provided by the network-baseddatabase system as described herein. FIG. 6 is a block diagramillustrating a method for operating a data clean room, according to someexample embodiments. The data clean room may enable companies A and B toperform overlap analysis on their company data, without sharingsensitive data and without losing control over the data. The data cleanroom may create linkages between the data for each account and mayinclude a set of blind cross reference tables.

Next, example operations to create the data clean room are described.Account B may include customer data 602 for Company B, and account A mayinclude customer data 604 for Company A. In this example, account B mayinitiate the creation of the data clean room; however, either accountmay initiate creation of the data clean room. Account B may create asecure function 606. The secure function 606 may look up specificidentifier information in account B's customer data 602. The securefunction 606 may anonymize the information by creating identifiers foreach customer data (e.g., generating a first result set). The securefunction 606 may be a secure user-defined function (e.g., database UDFthat operates on tables UDTF, a java. UDF that opens a Jar file toexecute one or more java functions to return data).

The secure function 606 may be implemented as a SQL IMF. The securefunction 606 may be defined to protect the underlying data used toprocess the function. As such, the secure function 606 may restrictdirect and indirect exposure of the underlying data.

The secure function 606 may then be shared with account A using a secureshare 608. The secure share 608 may allow account A to execute thesecure function 606 while restricting account A from having access tothe underlying data of account B used by the function and from beingable to see the code of the function. The secure share 608 may alsorestrict account A from accessing the code of the secure function 606.Moreover, the secure share 608 may restrict account A from seeing anylogs or other information about account B's use of the secure function606 or the parameters provided by account B of the secure function 606when it is called.

Account A may execute the secure function 606 using customer data 604(e.g., generating a second result set). The result of the execution ofthe secure function 606 may be communicated to account B. For instance,a cross reference table 610 may be created in account B, which mayinclude anonymized customer information 612 (e.g., anonymizedidentification information, private salted by provider's secret salt, orvia encryption as discussed below with reference to FIGS. 7A-10 ).Likewise, a cross reference table 614 may be created in account A, whichmay include anonymized customer information 616 for matching overlappingcustomers for both companies, and dummy identifiers for non-matchingrecords. The data from the two companies may be securely joined so thatneither account may access the underlying data or other identifiableinformation.

For instance, cross reference table 610 (and anonymized customerinformation 612) may include fields: “my_cust_id,” which may correspondto the customer if in account B's data; “my_link_id,” which maycorrespond to an anonymized link to the identified customer information;and a “their_link_id,” which may correspond to an anonymized matchedcustomer in company A. “their_link_id.” may be anonymized salted), sothat company B cannot discern the identity of the matched customers. Theanonymization may be performed using hashing, encryption, tokenization,or other suitable techniques.

Moreover, to further anonymize the identity, all listed customers ofcompany B in cross reference table 610 (and anonymized customerinformation 612) may have a unique matched customer from company Blisted, irrespective of whether there was an actual match or not. Adummy “their_link_id” may be created for customers not matched. This wayneither company may be able to ascertain identity information of thematched customers. Neither company may discern where there is an actualmatch rather than a dummy returned identifier (no match). Hence, thecross reference tables 610 may include anonymized key-value pairs. Asummary report may be created notifying the total number of matches, butother details of the matched customers may not be provided to safeguardthe identities of the customers.

FIGS. 7A and 7B show a secure encryption-based clean room architecture,according to some example embodiments. In the example illustrated,Requester Database Account 705 is shown in FIG. 7A and the ProviderDatabase Account 750 is shown in FIG. 7B, and data transferred betweenthe accounts is shared (e.g., via metadata pointers), as indicated bythe double-side arrows at the top of FIGS. 7A and 7B, and thedisconnected. A, B, and C arrows at the sides of FIGS. 7A and 7B. Withreference to the Requester Database Account 705 in FIG. 7A, therequester data set 702 comprises requester-specific data to be used inclean room requests, according to some example embodiments. Withreference to the Provider Database Account 750 in FIG. 7B, the providerdata set 759 comprises provider-specific data to be used in clean roomrequests, according to some example embodiments. The data flows 3A, 3B,and 3C are optional, in accordance with some example embodiments, andcan be implemented to perform complex join queries. For example, inqueries that require complex joining of one or more tables, encryptingthe data may be impractical to join, and as such the data flows 3A, 3B,and 3C can be implemented instead to perform joins on unencrypted data.

With reference to Provider Database Account 750 in FIG. 7B, at data flow3A, the Provider Account Cleanroom Cross Reference Table 754 isgenerated by the Provider Database Account 750, which stores theProvider ID(s) hashed with a private salt that is private to theProvider Database Account 750. At data flow 3B (in FIG. 7B), a SecureHash. Lookup Function 752 is created and shared from the ProviderDatabase Account 750 to the Requester Database Account 705 as a SharedSecure Hash Lookup Function 712 (FIG. 7A) to enable lookup of hashed IDsfrom the Provider Account Cleanroom. Cross Reference Table 754.

With reference to the data flow 3C in FIG. 7A, the Requester DatabaseAccount 705 calls the Shared. Secure Hash Lookup Function 712 (“SecureFunction Lookup_Hashed_ID( )”) using a Stored Procedure 714 (“CrossRefLookup”), which generates the requester's Cross Reference Table 716 inthe Requester Database Account 705.

With reference to Provider Database Account 750 of FIG. 7B, theAvailable Values Table 755 is created by the Provider Database Account750, which is then shared with the Requester Database Account 705 asAvailable Values Table 717 (in FIG. 7A). The Available Values table 755specifies data from the Provider Data Set 759 to which the RequesterDatabase Account 705 has access (e.g., referenced by a WHERE in a SELECTquery from the requester). That is, the Available Values Table 755species which parts of a provider's data can be used in a givenRequester's query (e.g., SQL select statements), or used as filters in agiven clean room request when the given clean room request is generatedby the Requester Database Account 705. For example, the Provider mayspecify in the Available Values Table 755 one or more columns or rows ofthe Provider Data Set 759 that can be included in a Requester's query(e.g., reference in a SELECT statement of the requester query), and anycolumns or rows not in the Available Values Table 755 (e.g., customersocial security numbers) or rows (e.g., subsets of customer data ofcustomer's under 1.8 years old) are not includable in the requester'sclean room requests.

In FIG. 7A, the Requester Database Account 705, prior to generating arequest, can generate the My Data Table 721, which functions as apre-filters for the final results data by sharing encrypted data ofcolumns or rows (from the requester data set 702) that are to be used ina given clean room request from the Requester Database Account 705(where data not included in the My Data Table 721 are not used in thequery, nor are matched or otherwise correlated with the Provider'sdata). The Requester ID(s) (e.g., customer emails) will be encrypted andincluded in the My Data Table 72, in accordance with some exampleembodiments. In some example embodiments, the encrypted data isencrypted using a pass phrase, e.g., in AES-256 based encryption. Inaccordance with some example embodiments, a clean room request iscreated when the Requester Database Account 705 inserts query data(e.g., clean room request) into the My Secure Query Requests Table 722which is then shared as My Secure Query Requests Table 723 in theProvider Database Account 750. As an example, the inserted request datacan include: select/group by columns and filter parameters, which canspecify data fields (e.g., columns) from both the Requester DatabaseAccount 705 and the Provider Database Account. 750 to be correlated andprocessed to generate final results for that given query.

With reference to the Requester Database Account 705, upon a requestbeing inserted into the My Secure Query Requests Table 722, the querydata is shared with the Provider Database Account 750 as in the MySecure Query Requests Table 723. The Query Runner Stored Procedure 777accepts the new request, validates it against the Available Values Table755 of the Provider Database Account 750, applies any restrictions orthresholds (e.g., rejects or removes data not accessible per theAvailable Values Table 755), and the Provider Database Account 750builds a Secure User Defined Table Function 778 (UDTF, e.g., “SecureUser Defined Table Function Generate Results( )”) as a share-ablefunction that is call-able by others (e.g., the Requester, to run on therequester's compute instances via secure sandbox processes) who can passin data (the key) and run the function from a client of an executionnode of the requestor in secure sandbox processes (e.g., via sandboxprocess 420), as discussed above with reference to FIG. 4 .

Whereas in the cross reference table approach, discussed above, performspre-matching of hashed and cross referenced data to correlate user IDsthat match in the respective data sets (e.g., matching emails inrequester and provider data sets), the Secure User Defined TableFunction 778 is a shareable secure function that accepts a decrypt key(as a parameter or input to the function upon the function being called,e.g., by the requester for a given clean room query).

In accordance with some example embodiments, anytime the Secure UserDefined Table Function 778 performs a join or otherwise references agiven column of the My Data Table 767, the Secure User Defined. TableFunction 778 is configured to wrap a decryption function around thejoined or referenced data (e.g., columns specified in the query), wherethe function is configured to use an function input that is to be inputby the requester (e.g., input decrypt pass phrase input by therequestor) as a decryption key to access the requesters user ID (e.g.,user email) in plain text, which can then matched against the provider'sdata set (e.g., a matching email) in the sandbox processes of the SecureUser Defined. Table Function 778 (to run the UDF on the requestorscompute instances). The Secure User Defined Table Function 778 thusworks as a query that joins the two sets of data together (the providerand requester user IDs or emails that match), based on a givenidentifier (a customer having accounts in the requester's data and theprovider's data). In this way, the Query Runner Stored Procedure 777creates the Secure User Defined Table Function 778 to directly match theIDs of the Requester Database Account 705 to the IDs of the ProviderDatabase Account 750, directly, without using the cross reference table.Although as discussed, in some example embodiments, if the data cleanroom request is complex, the cross referenced data may be used toperform further join operations. An example a pure encryption based dataclean room request that does not implement the cross reference approachincludes directly matching email to email (or other single, one-to-oneidentifier based matching). An example of a complex query that mayfurther implement the cross referenced table data includes any join orquery processes that requires more than one-to-one matching ofidentifiers, such as obfuscating each users geographic area (e.g., inthose example embodiments, further join or query operations can beperformed using the pre-matching approach, and the encryption matchingcan be implemented using the encryption direct matching).

While the Provider Database Account 750 can view the query (e.g., viewthe Secure User Defined Table Function 778, such as view the columns' ofthe provider that the Requester Database Account 705 is specifying inthe query), the Provider Database Account 750 cannot run the Secure UserDefined. Table Function 778 to generate results since the ProviderDatabase Account 750 does not have the requester's decrypt key to passin as a function parameter for the Secure User Defined Table Function778.

The Secure User Defined Table Function 778 is then shared with theRequester Database Account 705 as Shared. Secure User Defined TableFunction 747 in FIG. 7A. The Requester Database Account 705 then inputsthe decryption passphrase as a parameter input to the Shared Secure UserDefined Table Function 747 to decrypt and access the data and generatethe clean room request results. For example, the Requester DatabaseAccount 705 runs the Shared Secure User Defined Table Function 747 onits own commute instances (e.g., FIG. 3 ) to decrypt the encrypted datain the My Data Table 721 using the pass phrase and accesses portions ofthe provider's data using shared access (e.g., using metadata pointers,metadata stored in data storage device 220, FIG. 2 ).

FIG. 8 shows a flow diagram of a method 800 for implementing a secureencryption-based clean room architecture, according to some exampleembodiments. At operation 805, the Requester Database Account 705generates requester data, such as the requester data set 702 (FIG. 7A).At operation 810, the Provider Database Account 750 generates providerdata, such as the provider data set 759 (FIG. 7B) and the ProviderAccount Cleanroom Cross Reference table 754, for optional complex joins.For example, the encryption-based direct matching can be performed firstfollowed by more complex cross-reference table based joins to generatequery data. At operation 815, the Provider Database Account 750generates and shares which portions of the provider data is accessiblein the query, as an available values table 755. At operation 820, theRequester Database Account 705 generates shared tables for use in theclean room queries. For example, the Requester Database Account 705generates the My Data Table 721 and My Secure Query Requests Table 722which is shared with the Provider Database Account 750 as My SecureQuery Requests Table 723 and My Data Table 767. As discussed, the dataof the My Data Table 721 is encrypted with a pass phrase (e.g., AES 256encryption pass phrase, pass key, encryption key) that is private orsecret to the Requester Database Account 705.

At operation 825, the Requester Database Account 705 generates a cleanroom request. For example, the Requester Database Account 705 inserts aquery request into the My Secure Query Requests Table 722, which isshared with the Provider Database Account 750 in My Secure QueryRequests Table 723, which initiates the Query Runner Stored Procedure777 of the Provider Database Account 750.

At operation 830, the Provider Database Account 750 initiates (e.g.,runs) the Query Runner Stored. Procedure 777 which generates the SecureUser Defined Table Function 778, which accepts the decryption key as aparameter. At operation 835, the Provider Database Account 750 shares anencrypted table function. For example, the Provider Database Account 750shares the Secure User Defined Table Function 778 with the RequesterDatabase Account 705 as Shared Secure User Defined Table Function 747.

At operation 840, the Requester Database Account 705 generates resultsdata by passing the Shared Secure User Defined Table Function 747 thedecrypt pass phrase, and the Shared. Secure User Defined Table Function747 (running on compute instances of the Requester Database Account 705)decrypts the requester data and matches it to user IDs the providersdata set 759 which are accessed using metadata references, withoutexposing the data to the requester database account, in accordance withsome example embodiments. In this way, the direct matching occurs whenthe Requester Database Account 705 calls the Shared Secure User DefinedTable Function 747 (as the Provider Database Account 750 cannot executethe function because the provider does not have the encryption passphrase that is used to encrypt the requester data to generate resultsdata). At operation 845, the results data is displayed. (e.g., displaysthe results data on a display device of the Requester Database Account705).

FIGS. 9A and 9B show an example distributed database architecture forimplementing multi-entity database clean rooms (e.g., three or moredifferent accounts of different organizations or users of thenetwork-based database system 102, FIG. 1 ), according to some exampleembodiments. As illustrated, a Requester Database Account 905 (FIG. 9A)shares data with a Provider A Database Account 950 (FIG. 9B) andProvider B Database Account 990 (FIG. 9B), as indicated by thedouble-side share arrows at the top of FIGS. 9A and 9B. Further, the“A”, “B”, “C”, and “D” arrows are disconnected arrows between itemsshared across FIGS. 9A and 9B. As an example, the Requester DatabaseAccount 905 is a media company that runs advertising campaigns (e.g.,purchases ads) from multiple advertisers, each of which have differentand independent distributed database accounts the network-based databasesystem 102, as discussed above, with reference to FIGS. 1-3 . As anexample, Provider A Database Account 950 can include a first mediastreaming platform that provides advertisement services (e.g., adspace), and Provider B Database Account 990 can be another mediastreaming platform that similarly provides advertisement services. Whiledatabase clean rooms can implement sharing between a single requesterand single provider (discussed in the approaches above), implementing asecure data clean room that enables the requester access toadvertisement results data (e.g., ad metrics and performance) frommultiple different provider advertisers can be difficult to implement ina secure manner (e.g., without exposing the data of Provider A DatabaseAccount 950 to Provider B Database Account 990, and vice versa). As anadditional example, the Requester Database. Account 905 can be a productcompany (e.g., product company that is purchasing ad space for differentproducts or services), the Provider A Database Account 950 can be astreaming platform that provides advertisement services (e.g., displaysthe ads on a network site), and Provider B Database Account 990 can be abrick-and-mortar store that physically sells advertised products of theRequester Database Account 905. In this example, it can be difficult totrack conversion from purchased ads that were displayed to end-users(e.g., users that view a given ad) to those end-users later purchasingthe product (e.g., in the brick-and-mortar store) due to thecomputational difficulties of securely sharing the data from differentproviders and the requester.

To this end, the clean room engine 225 implements an encryption-baseddatabase clean room that can share data between multiple entities (e.g.,three or more entities or accounts of the network-based database system102), including a Requester Database Account 905 and multiple provideraccounts (e.g., Provider A Database Account 950, Provider B DatabaseAccount 990), where user data (e.g., user IDs of the end-users of thedifferent accounts) is provided and securely shared via one or moreencryption mechanisms, and the Requester Database Account 905 canperform verification and analysis of the data from the differentproviders entirely on the database account instance of the requester(e.g., on database storage devices and compute instances of theRequester Database Account 905 of the network-based database system102), in accordance with some example embodiments.

With reference to FIG. 9B, the Provider A Database Account 950 creates aProvider_A User ID Encryption Secure Function 952 which is a shareablesecure function that can be shared with the Requester Database Account905, which is encrypted by an encryption function of the Provider ADatabase Account 950 (e.g., with keys that are private to thatprovider).

The Provider B Database Account 990 generates a similar function:Provider_B User ID Encryption Secure Function 992A, which is encryptedby an encryption function of the Provider B Database Account 990 (e.g.,with keys that are private to the Provider B Database Account 990). TheProvider_B User ID Encryption Secure Function 992A is then shared fromthe Provider B Database Account 990 to the Provider A Database Account950 as Provider_B User ID Encryption Secure Function 992B, which can beused to wrap functions and which can be called in execution to generateresults data (e.g., shared with the Requester Database Account 905 andexecuted to provide end-user ID direct matching, without exposing thesecure function's data to the Requester Database Account 905), inaccordance with some example embodiments.

With reference to FIG. 9A, the Requester Database Account 905 generatesa My Data Table 907A which is the input data from the Requester DatabaseAccount 905 that is to be used for completing multi-entity data cleanroom queries that are generated by the requester. Further, the RequesterDatabase Account 905 generates a Decrypt_ID Secure Function 909A whichis configured to perform decryption of the encrypted IDs in the My Data.Table 907A. In some example embodiments, the Decrypt_ID Secure Function909A stores a private pass key of the Requester Database Account 905(e.g., AES 256 decryption key, pass phrase) which can be initiated todecrypt the IDs (user IDs) that are included in the My Data Table 907A,according to some example embodiments.

To initiate a multi-entity encryption-secured data clean room query, theRequester Database Account 905 adds query data to the My Secure QueryRequests Table 911A which is part of the clean room shared 913A which isshared with Provider A Database Account 950 (in FIG. 9B) as the sharedclean room data 913B (shared object), which, as depicted, includes theMy Secure Query Requests Table 911B, which further comprises the data ofthe newly added request. The newly added query request initiates streamsand tasks to run a Stored Procedure Query Runner 961 in FIG. 9B, inaccordance with some example embodiments.

To generate data for the received request, in response to the StoredProcedure Query Runner 961 running, the Provider A Database Account 950begins by creating an ID Encrypted Table 962A by cycling through the MyData Table 907B (shared object) in micro batches. In some exampleembodiments, the micro batches are mixed or re-ordered so they are notincluded in the initial order such that are not identifiable in the IDEncrypted Table 962A.

The ID Encrypted Table 962A integrates the My Data Table 907B bywrapping the Secure Function Decrypt_ID 909B (shared object from theRequester Database Account 905) around the table of encrypted IDs in theMy Data Table 907B (the shared object), and further wrapping the twoencryption functions—Provider_B User ID Encryption Secure Function 992B,and the Provider_A User ID Encryption Secure Function 952—around the MyData Table 907B (which is already wrapped Secure Function Decrypt_ID909B), which results in triple encrypted data that uses the user IDsfrom the requester side as encrypted by the encryption functions of theproviders. The triple encrypted object, ID Encrypted Table 962A, is thenshared from the Provider A Database Account 950 to the RequesterDatabase Account 905 as the ID Encrypted. Table 962B (FIG. 9A), inaccordance with some example embodiments.

The Provider A Database Account 950 (FIG. 9B) then creates a table ofexposure data, encrypted exposure data table 981A, which is encrypted byencryption functions of the two providers (the Provider_B User IDEncryption Secure Function 992B and Provider_A. User ID EncryptionSecure Function 952). The encrypted exposure data table 981A is createdfrom the provider source data 982 (e.g., ad performance metrics,advertising exposure data set, reach and frequency data of different adsand users from provider data set 967), for those user IDs that matchbetween the requester and providers (e.g., via direct matching without;a cross reference table). The encrypted exposure data table 981A isshared with the Requester Database Account 905 as encrypted exposuredata table 981B.

In some example embodiments, the encrypted exposure data table 981A isonly encrypted by the Provider_B User ID Encryption Secure Function 992Band the Provider_A User ID Encryption Secure Function 952, not by therequester's function (Secure Function Decrypt_ID 909B). In some exampleembodiments to ensure that the data decrypts, the same ordering that isused to wrap the functions to create the ID Encrypted Table 962A (FIG.9B) is used to create the encrypted exposure data table 981A (FIG. 9B).That is for example, if the Provider_B User ID Encryption SecureFunction 992B is wrapped around the Provider_A User ID Encryption SecureFunction 952, which is further wrapped around the secure function 909B(which further is wrapped around My Data. Table 907B), then to createthe encrypted exposure data table 981A, the provider source data 982(e.g., ad exposure data) is wrapped by the Provider_B User ID EncryptionSecure Function 992B and further by, the Provider_A User ID EncryptionSecure Function 952 to maintain the encryption order, such the datadecrypts correctly when called by the query code of the RequesterDatabase Account 905, in accordance with some example embodiments.

Once the Requester Database Account 905 receives the 1D Encrypted Table962B (e.g., receives shared access to the ID Encrypted Table 962A), andfurther receives the encrypted exposure data table 981B (e.g., receivesshared access to the encrypted exposure data table 981A), the RequesterDatabase Account 905 performs joins on the tables' data to initiateattribution modeling on the joined data using attribution modelingfunction 933 (e.g., machine learning, data modeling and analysisfunctions). That is, for example, the ID Encrypted Table 962B is therequester's user ID data (triple encrypted, as discussed), and theencrypted exposure data table 981B is the exposure data (e.g., ProviderA's user data, such as ad performance) which includes the attributes anddata values to enable the Requester Database Account 905 to performreach and frequency analysis of the providers' services (e.g., adservices, product sales data) of the multiple providers. Although in theillustrated example of FIGS. 9A and 9B, a requester performs clean roomanalysis on two providers, it is appreciated that the number ofproviders can be scaled such that the requester can efficiently performanalysis on each provider with which the requester interacts (e.g., fourprovider accounts that provide ad space, one physical store provideraccount that sells products, and three online network retailers thatsell the product(s)).

FIG. 10 shows a flow diagram of an example method 1000 for implementinga multi-entity encryption-based data clean room queries, according tosome example embodiments. At operation 1005, the secure functions of theprovider accounts are generated (e.g., Provider_B User ID EncryptionSecure Function 992B, from the Provider B Database Account 990; and theProvider_A User ID Encryption Secure Function 952, from Provider ADatabase Account 950), At operation 1010, the requester data tables aregenerated (e.g., My Data Table 907A, Decrypt_ID Secure Function 909A,and My Secure Query Requests Table 911A), which are shared with theProvider A Database Account 950 in FIG. 9B, as discussed above. Atoperation 1015, a multi-entity query request is generated. For example,the Requester Database Account 905 adds new query request data to the MySecure Query Requests Table 911A (FIG. 9A) which is shared with theProvider A Database Account 950 in the My Secure Query Requests Table911B (FIG. 9B).

At operation 1020, multi-entity ID data is generated. For example, theProvider A Database Account 950 generates the ID Encrypted Table 962A bya wrapping the My Data Table 907B with the Secure Function Decrypt_ID909B, which is then wrapped by Provider_B User ID Encryption SecureFunction 992B, which is then further wrapped by the Provider_A User IDEncryption Secure Function 952. After the ID Encrypted Table 962A isgenerated by the Provider A Database Account 950, the ID Encrypted Table962A is shared with the Requester Database Account 905 as the IDEncrypted. Table 962B On. FIG. 9A).

At operation 1025, the provider data is generated. For example theProvider A Database Account 950 generates the encrypted exposure datatable 981A by wrapping the exposure data set of the provider source data982 using the Provider_B User ID Encryption Secure Function 992B and theProvider_A User ID Encryption Secure Function 952 (e.g., in the sameorder as was used to create the ID Encrypted Table 962A, albeit withoutfirst wrapping the data with the Secure Function. Decrypt_ID 909B). Oncegenerated, the encrypted exposure data table 981A is shared with theRequester Database Account 905 as the encrypted exposure data table981B.

At operation 1030, the results data is generated. For example, theRequester Database Account 905 can perform joins on the ID EncryptedTable 962B and the encrypted exposure data table 981B, and an analysisfunction is applied to the joined data e.g., attribution modelingfunction 933). In some example embodiments, the requester's user data isdecrypted using the passkey within the Decrypt_ID Secure Function 909A,with the encryption functions of the providers, where direct matchingcan be implemented using the shared functions of the providers:Provider_B User ID Encryption Secure Function 992B and the Provider_AUser ID Encryption Secure Function 952, which can access the respectiveproviders user ID data behind the scenes, as secure function operations(UDFs) of the respective providers (respective sandbox processes),without exposing the function operations (and underlying data, such asexposure data) to the requester account that is executing the functionsto generate to the results data.

FIG. 11 illustrates a diagrammatic representation of a machine 1100 inthe form of a computer system within which a set of instructions may beexecuted for causing the machine 1100 to perform any one or more of themethodologies discussed herein, according to an example embodiment.Specifically, FIG. 11 shows a diagrammatic representation of the machine1100 in the example form of a computer system, within which instructions1116 (e.g., software, a program, an application, an applet, an app, orother executable code) for causing the machine 1100 to perform any oneor more of the methodologies discussed herein may be executed. Forexample, the instructions 1116 may cause the machine 1100 to execute anyone or more operations of any one or more of the methods describedherein. As another example, the instructions 1116 may cause the machine1100 to implemented portions of the data flows described herein. In thisway, the instructions 1116 transform a general, non-programmed machineinto a particular machine 1100 (e.g., the remote computing device 106,the access management system 110, the compute service manager 112, theexecution platform 114, the access management system 118, the Web proxy120, remote computing device 106) that is specially configured to carryout any one of the described and illustrated functions in the mannerdescribed herein.

In alternative embodiments, the machine 1100 operates as a standalonedevice or may be coupled (e.g., networked) to other machines. In anetworked deployment, the machine 1100 may operate in the capacity of aserver machine or a client machine in a server-client networkenvironment, or as a peer machine in a peer-to-peer (or distributed)network environment. The machine 1100 may comprise, but not be limitedto, a server computer, a client computer, a personal computer (PC), atablet computer, a laptop computer, a netbook, a smart phone, a mobiledevice, a network router, a network switch, a network bridge, or anymachine capable of executing the instructions 1116, sequentially orotherwise, that specify actions to be taken by the machine 1100.Further, while only a single machine 1100 is illustrated, the term“machine” shall also be taken to include a collection of machines 1100that individually or jointly execute the instructions 1116 to performany one or more of the methodologies discussed herein.

The machine 1100 includes processors 1110, memory 1130, and input/outputI/O) components 1150 configured to communicate with each other such asvia a bus 1102. In an example embodiment, the processors 1110 (e.g., acentral processing unit (CPU), a reduced instruction set computing(RISC) processor, a complex instruction set computing (CISC) processor,a graphics processing unit (GPU), a digital signal processor (DSP), anapplication-specific integrated circuit (ASIC), a radio-frequencyintegrated circuit (MC), another processor, or any suitable combinationthereof) may include, for example, a processor 1112 and a processor 1114that may execute the instructions 1116. The term “processor” is intendedto include multi-core processors 1110 that may comprise two or moreindependent processors (sometimes referred to as “cores”) that mayexecute instructions 1116 contemporaneously. Although. FIG. 11 showsmultiple processors 1110, the machine 1100 may include a singleprocessor with a single core, a single processor with multiple cores(e.g., a multi-core processor), multiple processors with a single core,multiple processors with multiple cores, or any combination thereof.

The memory 1130 may include a main memory 1132, a static memory 1134,and a storage unit 1136, all accessible to the processors 1110 such asvia the bus 1102. The main memory 1132, the static memory 1134, and thestorage unit 1136 comprising a machine storage medium 1138 may store theinstructions 1116 embodying any one or more of the methodologies orfunctions described herein. The instructions 1116 may also reside,completely or partially, within the main memory 1132, within the staticmemory 1134, within the storage unit 1136, within at least one of theprocessors 1110 (e.g., within the processor's cache memory), or anysuitable combination thereof, during execution thereof by the machine1100.

The I/O components 1150 include components to receive input, provideoutput, produce output, transmit information, exchange information,capture measurements, and so on. The specific I/O components 1150 thatare included in a particular machine 1100 will depend on the type ofmachine. For example, portable machines such as mobile phones willlikely include a touch input device or other such input mechanisms,while a headless server machine will likely not include such a touchinput device. It will be appreciated that the I/O components 1150 mayinclude many other components that are not shown in FIG. 11 . The I/Ocomponents 1150 are grouped according to functionality merely forsimplifying the following discussion and the grouping is in no waylimiting. In various example embodiments, the I/O components 1150 mayinclude output components 1152 and input components 1154. The outputcomponents 1152 may include visual components (e.g., a display such as aplasma display panel (PDP), a light emitting diode (LED) display, aliquid crystal display (LCD), a projector, or a cathode ray tube (CRT)),acoustic components (e.g., speakers), other signal generators, and soforth. The input components 1154 may include alphanumeric inputcomponents (e.g., a keyboard, a touch screen configured to receivealphanumeric input, a photo-optical keyboard, or other alphanumericinput components), point-based input components (e.g., a mouse, atouchpad, a trackball, a joystick, a motion sensor, or another pointinginstrument), tactile input components (e.g., a physical button, a touchscreen that provides location and/or force of touches or touch gestures,or other tactile input components), audio input components (e.g., amicrophone), and the like.

NI Communication may be implemented using a wide variety oftechnologies. The I/O components 1150 may include communicationcomponents 1164 operable to couple the machine 1100 to a network 1180via a coupler 1182 or to devices 1160 via a coupling 1162. For example,the communication components 1164 may include a network interfacecomponent or another suitable device to interface with the network 1180.In further examples, the communication components 1164 may include wiredcommunication components, wireless communication components, cellularcommunication components, and other communication components to providecommunication via other modalities. The devices 1160 may be anothermachine or any of a wide variety of peripheral devices (e.g., aperipheral device coupled via a universal serial bus (USB)). Forexample, as noted above, the machine 1100 may correspond to any one ofthe remote computing device 106, the access management system 110, thecompute service manager 112, the execution platform 114, the accessmanagement system 118, the Web proxy 120, and the devices 1160 mayinclude any other of these systems and devices.

The various memories (e.g., 1130, 1132, 1134, and/or memory of theprocessor(s) 1110 and/or the storage unit 1136) may store one or moresets of instructions 1116 and data structures (e.g., software) embodyingor utilized by any one or more of the methodologies or functionsdescribed herein. These instructions 1116, when executed by theprocessor(s) 1110, cause various operations to implement the disclosedembodiments.

As used herein, the terms “machine-storage medium,” “device-storagemedium,” and “computer-storage medium” mean the same thing and may beused interchangeably in this disclosure. The terms refer to a single ormultiple storage devices and/or media (e.g., a centralized ordistributed database, and/or associated caches and servers) that storeexecutable instructions and/or data. The terms shall accordingly betaken to include, but not be limited to, solid-state memories, andoptical and magnetic media, including memory internal or external toprocessors. Specific examples of machine-storage media, computer-storagemedia, and/or device-storage media include non-volatile memory,including by way of example semiconductor memory devices, e.g., erasableprogrammable read-only memory (EPROM), electrically erasableprogrammable read-only memory (EEPROM), field-programmable gate arrays(FPGAs), and flash memory devices; magnetic disks such as internal harddisks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROMdisks. The terms “machine-storage media,” “computer-storage media,” and“device-storage media” specifically exclude carrier waves, modulateddata signals, and other such media, at least some of which are coveredunder the term “signal medium” discussed below.

In various example embodiments, one or more portions of the network 1180may be an ad hoc network, an intranet, an extranet, a virtual privatenetwork. (VPN), a local-area network (LAN), a wireless LAN (WLAN), awide-area network (WAN), a wireless WAN (WWAN), a metropolitan-areanetwork MAN), the Internet, a portion of the Internet, a portion of thepublic switched telephone network (PSTN), a plain old telephone service(POTS) network, a cellular telephone network, a wireless network, aWi-Fi® network, another type of network, or a combination of two or moresuch networks. For example, the network 1180 or a portion of the network1180 may include a wireless or cellular network, and the coupling 1182may be a Code Division Multiple Access (CDMA) connection, a GlobalSystem for Mobile communications (GSM) connection, or another type ofcellular or wireless coupling. In this example, the coupling 1182 mayimplement any of a variety of types of data transfer technology, such asSingle Carrier Radio Transmission Technology (1×RTT), Evolution-DataOptimized (EVDO) technology, General Packet Radio Service (CPRS)technology, Enhanced Data rates for GSM Evolution (EDGE) technology,third Generation Partnership Project (3GPP) including 3G, fourthgeneration wireless (4G) networks, Universal Mobile TelecommunicationsSystem (UMTS), High-Speed Packet Access (HSPA), Worldwideinteroperability for Microwave Access (WiMAX), Long Term. Evolution(LTE) standard, others defined by various standard-settingorganizations, other long-range protocols, or other data transfertechnology.

The instructions 1116 may be transmitted or received over the network1180 using a transmission medium via a network interface device (e.g., anetwork interface component included in the communication components1164) and utilizing any one of a number of well-known transfer protocols(e.g., hypertext transfer protocol (HTTP)). Similarly, the instructions1116 may be transmitted or received using a transmission medium via thecoupling 1162 (e.g., a peer-to-peer coupling) to the devices 1160. Theterms “transmission medium” and “signal medium” mean the same thing andmay be used interchangeably in this disclosure. The terms “transmissionmedium” and “signal medium” shall be taken to include any intangiblemedium that is capable of storing, encoding, or carrying theinstructions 1116 for execution by the machine 1100, and include digitalor analog communications signals or other intangible media to facilitatecommunication of such software. Hence, the terms “transmission medium”and “signal medium” shall be taken to include any form of modulated datasignal, carrier wave, and so forth. The term “modulated data signal”means a signal that has one or more of its characteristics set orchanged in such a manner as to encode information in the signal.

The terms “machine-readable medium,” “computer-readable medium,” and“device-readable medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms are defined to includeboth machine-storage media and transmission media. Thus, the termsinclude both storage devices/media and carrier waves/modulated datasignals.

The various operations of example methods described herein may beperformed, at least partially, by one or more processors that aretemporarily configured (e.g., by software) or permanently configured toperform the relevant operations. Similarly, the methods described hereinmay be at least partially processor-implemented. For example, at leastsome of the operations of the methods described herein may be performedby one or more processors. The performance of certain of the operationsmay be distributed among the one or more processors, not only residingwithin a single machine, but also deployed across a number of machines.In some example embodiments, the processor or processors may be locatedin a single location (e.g., within a home environment, an officeenvironment, or a server farm), while in other embodiments theprocessors may be distributed across a number of locations.

Although the embodiments of the present disclosure have been describedwith reference to specific example embodiments, it will lie evident thatvarious modifications and changes may be made to these embodimentswithout departing from the broader scope of the inventive subjectmatter. Accordingly, the specification and drawings are to be regardedin an illustrative rather than a restrictive sense. The accompanyingdrawings that form a part hereof show, by way of illustration, and notof limitation, specific embodiments in which the subject matter may bepracticed. The embodiments illustrated are described in sufficientdetail to enable those skilled in the art to practice the teachingsdisclosed herein. Other embodiments may be used and derived therefrom,such that structural and logical substitutions and changes may be madewithout departing from the scope of this disclosure. This DetailedDescription, therefore, is not to be taken in a limiting sense, and thescope of various embodiments is defined only by the appended claims,along with the full range of equivalents to which such claims areentitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed. Thus, although specific embodiments havebeen illustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent, to those of skill inthe art, upon reviewing the above description.

In this document, the terms “a” or “an” are used, as is common in patentdocuments, to include one or more than one, independent of any otherinstances or usages of “at least one” or “one or more.” In thisdocument, the term “or” is used to refer to a nonexclusive or, such that“A or B” includes “A but not B,” “B but not A,” and “A and B,” unlessotherwise indicated. In the appended claims, the terms “including” and“in which” are used as the plain-English equivalents of the respectiveterms “comprising” and “wherein.” Also, in the following claims, theterms “including” and “comprising” are open-ended; that is, a system,device, article, or process that includes elements in addition to thoselisted after such a term in a claim is still deemed to fall within thescope of that claim.

Described implementations of the subject matter can include one or morefeatures, alone or in combination as illustrated below by way ofexample.

Example 1. A method comprising: generating, by a requester databaseaccount of a distributed database, a clean room query request against ashared data set comprising requester data set from the requesterdatabase account and a provider data set from a provider databaseaccount of the distributed database, the requester database account nothaving access through the distributed database to the provider data setin plain text format, the provider database account not having accessthrough the distributed database to the requester data set in plain textformat, generating, by the requester database account, a requestershared data table comprising the requester data set in encrypted formatthat is encrypted using a pass phrase that is private to the requesterdatabase account; generating, by the provider database account, a userdefined function that generates results data using the requester shareddata table in the encrypted format and the provider data set, whereinthe user defined function accepting a decryption parameter to generatethe results data by decrypting the requester data set; generating, bythe requester database account, the results data for the clean roomquery request by inputting, by the requester database account, the passphrase into the user defined function and executing the user definedfunction.

Example 2. The method of example 1, wherein the requester databaseaccount executes the user defined function and the user defined functionexecutes on a provider database instance of the provider databaseaccount on the distributed database.

Example 3. The method of examples 1 or 2, further comprising: sharingthe requester data set in the encrypted format with the providerdatabase account as a shared database object of the distributeddatabase.

Example 4. The method of examples 1-3, further comprising: sharing, bythe provider database account, the user defined function with therequester database account.

Example 5. The method of examples 1-4, wherein the user defined functiongenerates the results data using metadata references to the providerdata set.

Example 6. The method of examples 1-5, wherein the pass phrase isprivate to the requester database.

Example 7. The method of examples 1-6, wherein the provider databaseaccount cannot generate the results data by executing the user definedfunction without inputting the pass phrase due to the requester data setbeing in the encrypted format.

Example 8. The method of examples 1-7, further comprising: storing, bythe provider database account, available values table that specifieswhich portions of the provider data set are accessible to the requesterdatabase account via the clean room query request.

Example 9. The method of examples 1-8, wherein the clean room queryrequest specifies portions of the provider data set for processing inthe clean room query request.

Example 10. The method of examples 1-9, further comprising: determiningwhether the requester database account has access to the portions of theprovider data set that are specified in the clean room query request,wherein the access is determined using the available values table of theprovider database account.

Example 11. A system comprising: one or more processors of a machine;and a memory storing instructions that, when executed by the one or moreprocessors, cause the machine to perform operations implementing any oneof example methods 1 to 10.

Example 12. A machine-readable storage device embodying instructionsthat, when executed by a machine, cause the machine to performoperations implementing any one of example methods 1 to 10.

1. A method comprising: generating, on a requester database system of adistributed database, a clean room query request against a shared dataset comprising a requester data set from the requester database systemand a provider data set from a provider database system of thedistributed database, the requester database system not having accessthrough the distributed database to the provider data set in plain textformat, the provider database system not having access through thedistributed database to the requester data set in plain text format;generating, on the requester database system, a requester shared datatable comprising the requester data set in an encrypted format that isencrypted using a pass phrase that is private to the requester databasesystem; receiving, from the provider database system, a shared userdefined function that generates results data by processing the requestershared data table and the provider data set in a sandbox executionenvironment, the shared user defined function configured to accept adecryption parameter to generate the results data by decrypting therequester data set in the sandbox execution environment to match shareduser data that is shared between the requester data set and the providerdata set without providing access to the requester database system touser identifier values of the provider data set; and generating, on therequester database system, the results data for the clean room queryrequest by inputting the pass phrase into the shared user definedfunction as the decryption parameter and executing the shared userdefined function in the sandbox execution environment.
 2. The method ofclaim 1, wherein the requester database system executes the shared userdefined function and the shared user defined function executes on arequester database instance of the requester database system on thedistributed database.
 3. The method of claim 1, further comprising:sharing the requester data set in the encrypted format with the providerdatabase system as a shared database object of the distributed database.4. The method of claim 1, further comprising: receiving, from theprovider database system, the shared user defined function as a shareddatabase object of the distributed database.
 5. The method of claim 1,wherein the shared user defined function generates the results datausing metadata references to the provider data set.
 6. The method ofclaim 1, wherein the pass phrase is private to the requester databasesystem.
 7. The method of claim 1, wherein the provider database systemcannot generate the results data by executing the shared user definedfunction without inputting the pass phrase due to the requester data setbeing in the encrypted format.
 8. The method of claim 1, furthercomprising: receiving, by the requester database system, from theprovider database system, an available values table that specifies whichportions of the provider data set are accessible to the requesterdatabase system via the clean room query request.
 9. The method of claim8, wherein the clean room query request specifies one or more portionsof the provider data set for processing in the clean room query request.10. The method of claim 9, further comprising: executing the shared userdefined function on a requester database system instance of therequester database system, wherein executing the shared user definedfunction comprises determining whether the requester database system hasaccess to the portions of the provider data set that are specified inthe clean room query request, wherein the access is determined using theavailable values table of the provider database system.
 11. A systemcomprising: one or more processors of a machine; and a memory storinginstructions that, when executed by the one or more processors, causethe machine to perform operations comprising: generating, on a requesterdatabase system of a distributed database, a clean room query requestagainst a shared data set comprising a requester data set from therequester database system and a provider data set from a providerdatabase system of the distributed database, the requester databasesystem not having access through the distributed database to theprovider data set in plain text format, the provider database system nothaving access through the distributed database to the requester data setin plain text format; generating, by the requester database system, arequester shared data table comprising the requester data set inencrypted format that is encrypted using a pass phrase that is privateto the requester database system; receiving, from the provider databasesystem, a shared user defined function that generates results data byprocessing the requester shared data table and the provider data set ina sandbox execution environment, the shared user defined functionconfigured to accept a decryption parameter to generate the results databy decrypting the requester data set in the sandbox executionenvironment to match shared user data that is shared between therequester data set and the provider data set without providing access tothe requester database system to user identifier values of the providerdata set; and generating, on the requester database system, the resultsdata for the clean room query request by inputting the pass phrase intothe shared user defined function as the decryption parameter andexecuting the shared user defined function in the sandbox executionenvironment.
 12. The system of claim 11, wherein the requester databasesystem executes the shared user defined function and the shared userdefined function executes on a requester database instance of therequester database system on the distributed database.
 13. The system ofclaim 11, further comprising: sharing the requester data set in theencrypted format with the provider database system as a shared databaseobject of the distributed database.
 14. The system of claim 11, furthercomprising: receiving, from the provider database system, the shareduser defined function as a shared database object of the distributeddatabase.
 15. The system of claim 11, wherein the shared user definedfunction generates the results data using metadata references to theprovider data set.
 16. The system of claim 11, wherein the pass phraseis private to the requester database system.
 17. The system of claim 11,wherein the provider database system cannot generate the results data byexecuting the shared user defined function without inputting the passphrase due to the requester data set being in the encrypted format. 18.The system of claim 11, further comprising: receiving, by the requesterdatabase system, from the provider database system, an available valuestable that specifies which portions of the provider data set areaccessible to the requester database system via the clean room queryrequest.
 19. A non-transitory machine-readable storage medium comprisinginstructions that, when executed by a machine, cause the machine toperform operations comprising: generating, on a requester databasesystem of a distributed database, a clean room query request against ashared data set comprising a requester data set from the requesterdatabase system and a provider data set from a provider database systemof the distributed database, the requester database system not havingaccess through the distributed database to the provider data set inplain text format, the provider database system not having accessthrough the distributed database to the requester data set in plain textformat; generating, on the requester database system, a requester shareddata table comprising the requester data set in encrypted format that isencrypted using a pass phrase that is private to the requester databasesystem; receiving, from the provider database system, a shared userdefined function that generates results data by processing the requestershared data table and the provider data set in a sandbox executionenvironment, the shared user defined function configured to accept adecryption parameter to generate the results data by decrypting therequester data set in the sandbox execution environment to match shareduser data that is shared between the requester data set and the providerdata set without providing access to the requester database system touser identifier values of the provider data set; and generating, on therequester database system, the results data for the clean room queryrequest by inputting the pass phrase into the shared user definedfunction as the decryption parameter and executing the shared userdefined function in the sandbox execution environment.
 20. Thenon-transitory machine-readable storage medium of claim 19, wherein therequester database system executes the shared user defined function andthe shared user defined function executes on a requester databaseinstance of the requester database system on the distributed database.